Critical Siemens Simcenter Vulnerabilities Expose Engineering Workstations to Remote Code Execution

Security Arsenal Team
March 1, 2026

Engineering and manufacturing firms rely heavily on advanced simulation tools like Siemens Simcenter Femap and Nastran to analyze product performance and structural integrity. However, a recent advisory from CISA highlights a dangerous reality: the very files engineers use to model stress and dynamics can be turned into cyber weapons.

Six high-severity vulnerabilities (CVE-2026-23715 through CVE-2026-23720) have been identified, allowing attackers to execute arbitrary code simply by tricking a user into opening a malicious file.

The Vulnerability Deep Dive

The core issue lies in how these applications parse data files—specifically those in NDB and XDB formats. These formats are industry standards for storing finite element models and analysis results. The vulnerabilities identified involve memory corruption errors, including Out-of-Bounds (OOB) Reads, OOB Writes, and Heap-based Buffer Overflows.

When an application encounters a malformed file structure that it doesn't handle correctly, it can read or write data outside the bounds of its allocated memory. In the case of Simcenter Femap and Nastran, an attacker can craft an NDB or XDB file that, when parsed, triggers a heap-based buffer overflow (CWE-122) or an out-of-bounds write (CWE-787).
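The bug class described above, as an added illustration that is not Siemens code and does not use the real NDB or XDB layout: a hypothetical node-table parser that trusts a record count and a node index taken straight from the file (the unsafe form, which is the CWE-787 / CWE-122 pattern), beside a hardened version that validates both before allocating, indexing or copying.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical node table (an assumption, not the real NDB/XDB layout):
 * u32 node_count, then node_count records of { u32 node_index, float x, y, z }.
 * The parser trusts node_count for the allocation size and node_index for the
 * destination slot: exactly the fields a malformed file can abuse. */
#define REC_SIZE  16u
#define MAX_NODES 10000000u

typedef struct { uint32_t count; float *xyz; } mesh_t;

static uint32_t rd_u32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable form (CWE-787 / CWE-122): node_index is never compared with count,
 * so a record with index >= count writes 12 bytes past the end of the heap buffer,
 * and nothing checks that len really covers count records (out-of-bounds read). */
int parse_nodes_unsafe(const uint8_t *buf, size_t len, mesh_t *out) {
    if (len < 4) return -1;
    out->count = rd_u32(buf);
    out->xyz = malloc((size_t)out->count * 3 * sizeof(float));
    if (!out->xyz) return -1;
    const uint8_t *p = buf + 4;
    for (uint32_t i = 0; i < out->count; i++, p += REC_SIZE)
        memcpy(&out->xyz[3 * rd_u32(p)], p + 4, 12);   /* unchecked index */
    return 0;
}

/* Hardened form: every count and index read from the file is validated before
 * it is used for allocation, indexing or copying; malformed input is rejected. */
int parse_nodes_safe(const uint8_t *buf, size_t len, mesh_t *out) {
    out->count = 0; out->xyz = NULL;
    if (len < 4) return -1;
    uint32_t count = rd_u32(buf);
    if (count == 0 || count > MAX_NODES) return -1;   /* bound the allocation */
    if ((len - 4) / REC_SIZE < count) return -1;       /* too few bytes for count records */
    float *xyz = calloc((size_t)count * 3, sizeof(float));
    if (!xyz) return -1;
    const uint8_t *p = buf + 4;
    for (uint32_t i = 0; i < count; i++, p += REC_SIZE) {
        uint32_t idx = rd_u32(p);
        if (idx >= count) { free(xyz); return -1; }    /* reject out-of-bounds slot */
        memcpy(&xyz[3 * idx], p + 4, 12);
    }
    out->count = count; out->xyz = xyz;
    return 0;
}
```

The hardened parser rejects a truncated file, an oversized count and any record whose index lies outside the table, which are the three ways the unsafe form reads or writes outside its heap allocation.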

The Attack Vector

These vulnerabilities carry a CVSS v3.1 base score of 7.8 (HIGH). The attack vector is local (AV:L), but attack complexity is low (AC:L) and the only barrier is user interaction (UI:R): the victim has to open a file. That combination makes the scenario ripe for social engineering attacks.

An attacker could send a spoofed email to an engineer appearing to be a design update or a vendor file. Once the user opens the file in the vulnerable version of the software, the attacker's payload executes within the context of the user's session. Given that engineering workstations often have high privileges or access to sensitive intellectual property, the risk of data theft or ransomware propagation is substantial.

Affected Products

The following versions of Siemens Simcenter are affected:

  • Simcenter Femap: Versions prior to 2512
  • Simcenter Nastran: Versions prior to 2512

Detection and Threat Hunting

Security teams need to identify vulnerable versions immediately and detect potential exploitation attempts. Since the exploit requires file interaction, monitoring for suspicious process spawning from the engineering applications is critical.

1. Identify Vulnerable Installations

Use the following PowerShell script to query the registry for installed Simcenter versions and check if they are below the patched version 2512.

Script / Code
# Check for Siemens Simcenter Femap and Nastran versions < 2512
$products = @("Simcenter Femap", "Simcenter Nastran")
$uninstallKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
$installedApps = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue

foreach ($app in $installedApps) {
    if ($app.DisplayName -and $app.DisplayName -match ($products -join '|')) {
        # DisplayVersion may be "2412", "2412.1" or "2412.0.0.123": compare only the
        # leading numeric release component instead of casting the whole string to [int]
        if ($app.DisplayVersion -match '^(\d+)') {
            if ([int]$Matches[1] -lt 2512) {
                Write-Host "[ALERT] Vulnerable Installation Found: $($app.DisplayName) - Version: $($app.DisplayVersion)"
            }
        } else {
            Write-Host "[WARN] Could not parse version for $($app.DisplayName): '$($app.DisplayVersion)' - verify manually"
        }
    }
}

2. Hunt for Suspicious Child Processes

If a malicious file is opened, it may attempt to spawn a shell or other unauthorized process. You can use KQL in Microsoft Sentinel or Defender to monitor for Simcenter applications spawning cmd.exe, powershell.exe, or other binaries commonly used in post-exploitation.

Script / Code
// In DeviceProcessEvents the spawned process is FileName; the parent is InitiatingProcessFileName
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("femap.exe", "nastran.exe")
| where ProcessCommandLine contains "powershell" or
      ProcessCommandLine contains "cmd.exe" or
      ProcessCommandLine contains "whoami" or
      FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc

Mitigation Recommendations

Siemens has released updates to address these flaws. Security Arsenal recommends the following actions:

  1. Patch Immediately: Upgrade Simcenter Femap and Simcenter Nastran to version 2512 or later.
  2. Strict File Handling: Do not open NDB or XDB files from untrusted sources. Implement strict email filtering to block these file types if possible, or sandbox them before delivery to engineering endpoints.
  3. Network Segmentation: Following CISA recommendations, ensure engineering workstations are isolated from the broader business network. They should not be accessible from the internet.
  4. Application Whitelisting: Consider implementing application control policies (e.g., AppLocker) to prevent unauthorized processes from being spawned by the engineering software suite.
